It's after the Holidays. Here's what's happening at one New York law firm (and possibly many): A report from its technology consultant shows the firm is at high risk for a data breach. The firm's clients require evidence of stronger technology controls and data security policies, including compliance with data privacy laws. The firm's IT director has a lengthy and costly wish list from last year for technology upgrades. Meanwhile, a major client has scheduled an onsite data audit involving physical inspection of the firm's offices. The client has its own pass-through cybersecurity and privacy obligations to its own clients and is, itself, under intense scrutiny. The Holidays are truly over.

Old Wine in New Bottles, or New Wine in Old Bottles?

Lawyers are guardians of client data. They have always been the protectors of confidentiality, the preservers of privilege and the keepers of security. Before the digital age, the lawyer's role in managing these duties was relatively uncomplicated, primarily because client data was not a product of technology as we know it today. Client data existed in physical, tangible form and client documents were created on paper using a fountain pen or typewriter, delivered by hand or courier, and stored in the lawyer's office or off-site. Reasonable safeguards were (presumably) employed by the lawyer's firm based on appropriate security standards of yesteryear, without the lawyer's direct involvement or knowledge. There were rarely any sensational confidentiality breaches or security incidents that grabbed the attention of clients, regulators or the media. Protection of client data back then was no less important than it is today, but the risks of theft, loss or hacking were mostly unheard of, which meant that the lawyer's personal efforts to proactively protect client data were not a significant concern that needed client or regulatory oversight.

With the advent of technology and its pervasive use in the delivery of legal services, everything has changed. Much client data is now intangible and invisible, stored on hard drives, servers, devices or in the cloud. Nonetheless, lawyers have a duty to see or foresee the risks and avoid them. The most noteworthy shift is in the perception of the lawyer's role in using technology for client work. Updates to Rule 1.1 of New York's Rules of Professional Conduct have reshaped our understanding of the duty of competence. This ramped-up duty requires lawyers to not only be legally competent, but to be technologically competent as well. Competence under Rule 1.1 does not require a mastery of the subject of technology, but rather an adequate understanding of the available technology tools and, most importantly, the potential risks in using technology tools for legal work and the security features that should be employed to avoid loss, damage or misuse of client data. Essentially, this means that the firm's IT department across the hallway (or the ocean) no longer plays a mere operational support function; instead, it has a vital and integral role in the process of delivering legal services. Any technological issue facing the lawyer—misdirected email, improperly redacted documents, metadata, storing corporate data in the cloud, putting sensitive client documents on a flash drive, bringing your own device—can become a critical firm or client issue that can create risks to confidentiality, privilege, privacy, information security and cybersecurity.

A Kaleidoscope of Concerns

Let's turn back to the not-so-hypothetical hypothetical in the introduction, where multiple information security and privacy concerns were swirling around our beleaguered (fictional) law firm. The first thing to keep in mind is that lawyers need to keep a watchful eye on everything concerning client data, not just on any one thing: information security (of which cybersecurity is a part), to prevent the unauthorized or mischievous misuse of technology or the physical work environment; data privacy, to protect personal data from improper use; confidentiality, to safeguard information relating to the representation from unauthorized use or inadvertent disclosure; and attorney-client privilege, to preclude disclosure of attorney-client communications involving legal advice.

Information security, data privacy, confidentiality and privilege are, to some extent, related concepts that overlap and intersect with each other. Lawyers need to be aware of their interaction and understand that taking steps to protect one may not be sufficient to safeguard any or all of the others. Consequently, client data could potentially be left open to significant risk of loss, misuse and disclosure. To illustrate, moving client data to the cloud may enhance information security, but may compromise privilege if proper measures are not taken to preserve it; having a confidentiality policy without addressing data privacy concerns could make the firm susceptible to privacy claims and hackers; and maintaining carefully organized files of privileged information without paying attention to information security could leave the firm vulnerable to a panoply of cyber-breaches, which are an increasing concern for law firms. These concepts demand that lawyers and firms move beyond their traditional comfort zone to embrace the technological challenges, responses and opportunities inherent in managing information security and data privacy, while recognizing the new demands that this places on resolving the more lawyerly concerns of confidentiality and privilege.